zsdc wrote:

> Chuck Fox wrote:
> >
> >> Sometimes "dumb users" can be quite creative:
> >>
> >> <a 
> >> href="http://sitefinder.verisign.com/lpc?url='%3E%3Cimg%20src=http://www.patrick.fm/boobies/boobies.php?text=VeriSign%3E";>I
> >>  Love VeriSign</a>
> >> [...]
> >
> > No matter how foolproof you make, the fools keep getting smarter.
> >
> > Chuck
>
> That's not entirely true. As this example shows, VeriSign programmers
> made a very stupid mistake causing the cross-site scripting
> vulnerability. They assumed they know what the input looks like, so
> there's no need to properly quote it before printing.
>
> Making their website show nudity may be funny but reading their users'
> cookies and personal login information might be much less funny. It
> could be easily avoided.
>
> If anything an attacker has to do in order to break their security is to
> fool any one of their users to click a link
> *.verisign.com/x=%20%22%27%3E... (or even automatically redirect anyone
> to such a link) then it is a very serious and easily exploitable
> vulnerability.
>
> Considering VeriSign's gigantic user base and the rank of information
> they manage (not to mention it's a website to which they will point any
> non-existing DNS records very soon) it's absolutely terrifying. I would
> immediately fire anyone responsible for this flaw without asking any
> questions.
>
> The bottom line is: you can write a foolproof CGI script. It's not even
> very hard. Use CGI.pm with $CGI::POST_MAX (and $CGI::DISABLE_UPLOADS
> when appropriate) to get the input. Use CGI::Untaint to validate it. Use
> DBI placeholders and html-escape any printed data coming from user. Use
> the taint mode.
>
> Don't give up just because fools keep getting smarter.

Looks like they plugged the hole.  Follow the link now, and you get a search page at 
VeriSign, titled VeriSign | Try Again

Joseph
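The recipe zsdc gives above (CGI.pm with $CGI::POST_MAX and $CGI::DISABLE_UPLOADS, CGI::Untaint for validation, DBI placeholders, HTML-escaping of echoed input, taint mode) put together in one small script, as an added example written for this thread and not code from VeriSign or from anyone on the list. The SQLite DSN, the `suggestions` table and the `url` parameter name are assumptions made for the example; the `-as_printable` handler accepts quotes and angle brackets, which is exactly why the output still has to be escaped.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: a small CGI "try again" page that
# echoes a user-supplied URL back into its HTML.  Taint mode (-T) is
# switched on in the shebang line.
use strict;
use warnings;

use CGI qw(escapeHTML);
use CGI::Untaint;
use DBI;

# Bound the request before CGI.pm parses it: at most 1 KiB of POST data,
# and no file uploads at all.
$CGI::POST_MAX        = 1024;
$CGI::DISABLE_UPLOADS = 1;

my $q = CGI->new;

# Validate the parameter: printable characters only, at most 255 of them.
# Under -T extract() also untaints the value; a failed check yields undef.
my $handler = CGI::Untaint->new( $q->Vars );
my $url     = $handler->extract( -as_printable => 'url' );
$url = '' unless defined $url && length $url <= 255;

# Look the URL up with a placeholder instead of interpolating it into the
# SQL text.  DSN, credentials and table layout are assumed for the example.
my $dbh = DBI->connect( 'dbi:SQLite:dbname=sitefinder.db', '', '',
                        { RaiseError => 1, AutoCommit => 1 } );
my $sth = $dbh->prepare('SELECT suggestion FROM suggestions WHERE url = ?');
$sth->execute($url);
my @suggestions = map { $_->[0] } @{ $sth->fetchall_arrayref };

print $q->header( -type => 'text/html; charset=UTF-8' );
print "<html><head><title>Try Again</title></head><body>\n";

# The pattern this thread is about would be:
#   print qq{<input type="text" name="url" value='$url'>};
# A value beginning with '> closes the attribute and the rest of it is
# parsed as markup.  escapeHTML() turns & < > " and ' into entities, so
# whatever the user typed stays inside the attribute value.
my $safe_url = escapeHTML($url);
print qq{<form method="get">},
      qq{<input type="text" name="url" value="$safe_url">},
      qq{<input type="submit" value="Search"></form>\n};

# Data read back from the database came from users too, so escape it as well.
print "<ul>\n";
print '<li>', escapeHTML($_), "</li>\n" for @suggestions;
print "</ul>\n</body></html>\n";
```

The two halves do different jobs and neither replaces the other: CGI::Untaint limits what gets into the script, but a printable-character check cannot reject quotes and angle brackets without breaking legitimate URLs, so the output side escapes every value at the point where it is written into HTML, regardless of where it came from.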
